Restore NPM_TOKEN to publish workflow #228
Merged
subtleGradient merged 1 commit into main on Nov 12, 2025
- Add NPM_TOKEN back to changesets action environment
- Remove .npmrc experiment (didn't work)
- NPM_TOKEN needed for authentication, --provenance uses OIDC for attestations
- Token may be configured at organization level
Pull Request Overview
This PR restores proper npm authentication configuration for the changesets-based publish workflow by adding back the NPM_TOKEN environment variable and removing a malformed .npmrc experiment.
Key Changes:
- Adds `NPM_TOKEN` environment variable to the changesets action for npm authentication
- Removes an incorrectly formatted `.npmrc` file that was part of a failed experiment
- Maintains the `--provenance` flag for OIDC-based package attestations
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .npmrc | Removes malformed .npmrc file with invalid leading whitespace that would not have worked |
| .github/workflows/publish.yaml | Adds NPM_TOKEN environment variable required by changesets/action for npm registry authentication |
Comments suppressed due to low confidence (1)
.npmrc:1
- The removed `.npmrc` file had leading whitespace before the `registry=` line, which would have caused parsing issues. The standard `.npmrc` format doesn't allow leading whitespace on configuration lines. This removal is correct, but it's worth noting that if this file was intended to work, it was malformed.
kesavan-byte pushed a commit to osm-API/ai-sdk-provider that referenced this pull request on Feb 13, 2026
Summary
Restore `NPM_TOKEN` environment variable to the publish workflow. The token is needed for npm authentication while `--provenance` flag uses OIDC for cryptographic attestations.
Changes
- `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` back to changesets action environment
- `.npmrc` experiment (didn't work - changesets looks for `~/.npmrc`, not repo `.npmrc`)
- `--provenance` flag for OIDC attestations
How it Works
- `NPM_TOKEN` secret (may be configured at org level)
- `--provenance` flag + `id-token: write` permission uses OIDC
Context
Previous attempts to use pure OIDC without a token failed with E404 errors. npm's OIDC support is specifically for provenance attestations, not for replacing token-based authentication entirely.
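An added example, not part of this pull request or the repository's actual workflow file, of the arrangement the description explains: a token authenticates the publish while `id-token: write` lets the job obtain the OIDC token used for provenance. The workflow and job names, action versions, Node version, publish command, and the use of `NPM_CONFIG_PROVENANCE` as the environment form of `--provenance` are assumptions.

```yaml
# Hypothetical publish workflow; names, versions and the publish command are assumptions.
name: publish
on:
  push:
    branches: [main]

# Deny by default; the job below opts in to exactly what it needs.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # changesets pushes version commits and tags
      pull-requests: write  # changesets opens the version PR
      id-token: write       # job may request an OIDC token for provenance signing
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # No NPM_TOKEN in scope here, so dependency install scripts cannot read it.
      - run: npm ci
      - uses: changesets/action@v1
        with:
          publish: npx changeset publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Registry authentication for the publish itself, scoped to this step only.
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          # Environment form of npm's --provenance flag.
          NPM_CONFIG_PROVENANCE: "true"
```

Keeping the secret in the step-level `env` rather than at job or workflow level limits its exposure to the one step that publishes.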